From 8f5578d0f9681ef81bc71a3762a191d66a29c8b1 Mon Sep 17 00:00:00 2001 From: Noah Misch Date: Sat, 29 Mar 2014 03:12:00 -0400 Subject: Revert "Secure Unix-domain sockets of "make check" temporary clusters." About half of the buildfarm members use too-long directory names, strongly suggesting that this approach is a dead end. --- doc/src/sgml/regress.sgml | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/regress.sgml b/doc/src/sgml/regress.sgml index f9319637b90..16b36211f3d 100644 --- a/doc/src/sgml/regress.sgml +++ b/doc/src/sgml/regress.sgml 
@@ -58,14 +58,21 @@ make check - On systems lacking Unix-domain sockets, notably Windows, this test method - starts a temporary server configured to accept any connection originating - on the local machine. Any local user can gain database superuser - privileges when connecting to this server, and could in principle exploit - all privileges of the operating-system user running the tests. Therefore, - it is not recommended that you use make check on an affected - system shared with untrusted users. Instead, run the tests after - completing the installation, as described in the next section. + This test method starts a temporary server, which is configured to accept + any connection originating on the local machine. Any local user can gain + database superuser privileges when connecting to this server, and could + in principle exploit all privileges of the operating-system user running + the tests. Therefore, it is not recommended that you use make + check on machines shared with untrusted users. Instead, run the tests + after completing the installation, as described in the next section. + + + + On Unix-like machines, this danger can be avoided if the temporary + server's socket file is made inaccessible to other users, for example + by running the tests in a protected chroot. On Windows, the temporary + server opens a locally-accessible TCP socket, so filesystem protections + cannot help. 
@@ -104,17 +111,6 @@ make MAX_CONNECTIONS=10 check runs no more than ten tests concurrently. - - - To protect your operating system user account, the test driver places the - server's socket in a relative subdirectory inaccessible to other users. - Since most systems constrain the length of socket paths well - below _POSIX_PATH_MAX, testing may fail to start from a - directory with a long name. Work around this problem by pointing - the PG_REGRESS_SOCK_DIR environment variable to a substitute - socket directory having a shorter path. On a multi-user system, give that - directory mode 0700. - -- cgit v1.2.3
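Review bot: In the first hunk (regress.sgml, @@ -58,14 +58,21 @@), the added paragraph beginning "On Unix-like machines, this danger can be avoided" states the goal, a socket file inaccessible to other users, but the only means it offers is "a protected chroot", and it never says where the temporary server creates its socket file. A reader on a shared machine cannot tell from this text which directory has to be protected. Suggest naming the socket location, or how to choose it, next to that sentence. The same hunk drops the "On systems lacking Unix-domain sockets, notably Windows" qualifier, so the warning now covers every platform and this paragraph is the only mitigation guidance a Unix user gets short of running the tests after installation.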
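Review bot: In the second hunk (regress.sgml, @@ -104,17 +111,6 @@), the deleted paragraph is the one that documents the PG_REGRESS_SOCK_DIR workaround for long directory names and the advice to give that directory mode 0700, yet the commit message cites too-long directory names on the buildfarm as the reason for the revert without saying why that workaround was not sufficient. Suggest adding a sentence to the commit message on why pointing PG_REGRESS_SOCK_DIR at a shorter path could not be relied on, so a later attempt at protecting the socket does not repeat the same design. With this paragraph gone, the visible documentation no longer mentions any setting for placing the socket in a private directory, which leaves the first hunk's "made inaccessible to other users" advice without a documented mechanism.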